Community News: A Web3 project's contract may have had malicious code implanted by an employee, resulting in losses of hundreds of thousands of dollars.
According to an April 28 report from Deep Tide TechFlow, a Web3 startup had hundreds of thousands of USDT transferred out because of a hard-coded authorized wallet address in its smart contract code, as disclosed by crypto community member Cat (@0xCat_Crypto). The contract code submitted by an employee was suspicious, but the employee denied writing the code in question, claiming that the malicious code had been generated automatically by an AI programming assistant and was not adequately reviewed. At present the ownership of the wallet involved cannot be confirmed, and it is also difficult to identify who actually wrote the code.
Yu Xian of SlowMist stated that, after a preliminary investigation in an environment using Cursor with the Claude 3.7 model, the address the AI auto-completed did not match the malicious address involved, ruling out the possibility that the malicious code was generated by the AI. The malicious address holds owner permissions on the smart contract, which allowed all of the project's funds to be drained.
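The root cause reported above is a privileged address hard-coded into contract source. As an added illustration (not code from the report, SlowMist, or the project involved), here is a small review-time scanner that lists every literal address in Solidity source and marks those that sit next to owner or authorization logic; the sample contract, its addresses, and the keyword list are constructed placeholders.

```python
import re

# Constructed sample contract (placeholder addresses, not the ones from the incident).
SAMPLE_SOL = """
pragma solidity ^0.8.0;
contract Vault {
    address public owner = 0x1111111111111111111111111111111111111111;
    address constant ZERO = 0x0000000000000000000000000000000000000000;
    mapping(address => bool) public authorized;
    constructor() {
        authorized[0x2222222222222222222222222222222222222222] = true;
    }
    function withdraw(address token, uint256 amt) external {
        require(msg.sender == owner || authorized[msg.sender], "not allowed");
        // ... token transfer omitted ...
    }
}
"""

# A 20-byte hex literal is the only way to hard-code an address in Solidity source.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}\b")
# Assumed keywords that signal a privilege-granting context; tune per code base.
PRIVILEGED_HINTS = ("owner", "admin", "authorized", "operator", "approve", "allowance")
# The zero address is a common, benign sentinel and is not reported.
KNOWN_BENIGN = {"0x0000000000000000000000000000000000000000"}


def find_hardcoded_addresses(source: str):
    """Return (line_no, address, privileged) for every literal address in the source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for match in ADDRESS_RE.finditer(code):
            addr = match.group(0).lower()
            if addr in KNOWN_BENIGN:
                continue
            privileged = any(hint in code.lower() for hint in PRIVILEGED_HINTS)
            findings.append((line_no, addr, privileged))
    return findings


def privileged_findings(source: str):
    """Only the literals that grant privilege: these should block a merge until explained."""
    return [f for f in find_hardcoded_addresses(source) if f[2]]


if __name__ == "__main__":
    for line_no, addr, privileged in find_hardcoded_addresses(SAMPLE_SOL):
        print(f"line {line_no}: {addr} {'PRIVILEGED' if privileged else 'review'}")
```

Run as a pre-merge check, any privileged finding should require the reviewer to confirm who controls that address and why it is not set at deployment time instead.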